With Internet use forming an ever greater part of day to day life, security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments and businesses devote significant resources to preventing intrusions and thefts related to these security exploits. Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. These exploits are delivered in or through a number of mechanisms, such as spearfish emails, clickable links, documents, executables, or archives. Some of the threats posed by security exploits are of such significance that they are described as cyber terrorism or industrial espionage.
To counter these threats, governments, enterprises, and individuals use a range of security applications and services. Typically, these applications and services scan a device for a signature or other sort of indication of a security exploit. Responsive to finding the signature or indication, the applications and services quarantine or delete the exploit. The applications and services often miss more sophisticated security exploits, however. For example, security applications and services lack an ability to correlate detected events. Such events may each, on their own, be innocent, but when observed together or in some sequence, the events may be indicative of security exploit activity.